Cybersecurity threats and internet fraud are growing concerns for oil and gas service companies in the Permian Basin. While high-profile breaches involving major corporations make the headlines, cybercriminals are not targeting big companies exclusively. According to Accenture’s 2023 Cost of Cybercrime Study, 43 percent of cyberattacks target small businesses.
In the oil and gas industry, companies often store sensitive operational, financial, and personal data—ranging from employee information to proprietary client data—making them prime targets for cybercriminals. With a high volume of vendor transactions, joint ventures, and data sharing, one breach can result in significant financial loss, operational downtime, and reputational damage.
Below are common theft and fraud risks oil and gas services companies should be aware of, along with strategies for mitigating them.
Wire/ACH Fraud
“Spear-phishing” is a form of business email compromise wherein criminals send company employees fraudulent emails that appear to be from a trusted sender to trick them into revealing confidential information or initiating fraudulent payments. Criminals use this prime tactic to attempt wire or ACH fraud, targeting businesses of all sizes.
Unfortunately, we have recently seen a handful of American Momentum Bank clients fall victim to wire fraud. In those cases, cybercriminals hacked into a company’s email account and sent a legitimate-looking email to accounts payable, providing new bank account information for future payments. It was not until after the payments went through that the companies realized they had wired money into a cybercriminal’s account instead of paying their own vendor.
To protect against cybercrimes that could result in ACH or wire fraud, oil and gas services companies should be hyper-vigilant. When asked to send money electronically, first verbally verify any electronic payment instructions directly with the vendor before initiating payment, rather than relying on email communication alone. Additionally, train employees on how to identify fraudulent emails by recognizing potential red flags.
Data Breaches
Any organization that collects Personally Identifiable Information (PII)—including employee records, vendor payment details, and client contact information—is at risk of a data breach. Oil and gas services companies are no exception.
Data breaches occur when cybercriminals gain unauthorized access to a company’s systems or networks. Once inside, they can steal, copy, or lock sensitive information, such as personal, financial, and operational data. A breach can result in substantial losses, including theft, attorney fees, forensic investigations, credit monitoring for affected individuals, regulatory fines, and potential contract losses.
Additionally, oilfield service companies face financial risks associated with noncompliance with state and federal cybersecurity regulations. Texas’ breach law and federal energy mandates can require rapid reporting and remediation. Missing deadlines can trigger fines, legal costs, and lost contracts, making it critical to integrate compliance into cybersecurity policies from the start.
To reduce these risks, companies should work with an in-house IT team or a managed service provider to deploy a layered cybersecurity program that actively monitors, detects, and prevents intrusions—especially in operational hubs like Midland and Odessa, where remote work and mobile data access are common but where such practices increase risk.
Malware and Spyware Threats
Malware and spyware are two methods cybercriminals employ to attempt a data breach. Malware is malicious software designed to infiltrate and damage computer systems, while spyware secretly collects user data for malicious use. Both can result in disrupted operations, stolen sensitive files, and significant financial losses.
Oil and gas companies, especially those with field operations connecting back to central systems, face increased vulnerability due to the variety of devices and networks in use.
Again, companies should work closely with their IT teams to train staff to recognize suspicious files and links and implement a robust cybersecurity program to mitigate these costly risks.
Additional Protection Strategies for O&G Service Companies
In addition to establishing protocols to protect from wire fraud and implementing training and technology safeguards to protect against data breaches, companies should consider:
- Implementing banking controls—Work with your financial institution to add verification steps for high-value transactions, such as requiring call-backs or unique authorization codes. Additionally, request that your bank implement Positive Pay—or a similar product—an automated fraud detection tool. This service matches the account number, check number, dollar amount, and payee of each check presented for payment against a list of checks previously authorized and issued by the company. This is one of the strongest ways to proactively detect check fraud.
- Investing in cyber insurance—This type of insurance coverage can help offset financial losses caused by cyberattacks, data breaches, or fraud, and may also cover legal and regulatory expenses. Contact an insurance agent to explore opportunities for this type of coverage.
- Developing and testing an incident response plan—Outline how the company will respond during a cyberattack, including communication, containment, and recovery steps. Regular tabletop exercises with leadership, IT, and operations teams help identify weaknesses. In the oil and gas industry, quick, decisive action can prevent costly downtime and protect revenue.
In today’s oilfield economy, the financial consequences of cybercrime can be as damaging as an operational shutdown. By partnering with a trusted financial institution and combining sound cybersecurity practices with proven financial controls, oil and gas service companies can better protect their bottom line and maintain the trust of clients and partners across the Permian Basin.
Gregg Simmons
Greg Simmons is Odessa Market President at American Momentum Bank. He can be reached at gsimmons@americanmomentum.bank and (432) 368-3726.
Leave a Reply